Re: [squid-users] transparent proxy with authentication

From: Henrik Nordstrom <[email protected]>
Date: Tue, 1 Nov 2005 16:09:31 +0100 (CET)

On Tue, 1 Nov 2005, Senthil Murugan wrote:

> the original website that he/she was trying to access. But this time the
> browser will not send the cookie credentials bcos, the is a different domain.
> You explained as, "since the proxy has the full control of the traffic
> passing thru it, it can play games on the browser and issue cookie for all
> the visited domains". But with this, only the proxy can add the credentials
> but what actually needed is, only the proxy needs the credentials from the
> browser. How come the works or i am not understood clearly?

There is always the domain of the proxy, to which the browser sends it's
cookies. To transport the session cookie to another domain a double
redirect is used via the proxy domain, temporarily carrying the session
details in an "magic" URL to the visited domain which then issues the
cookie and redirects back to the originally requested page on the same
domain.

I have done this kind of solutions for reverse proxies using Squid, and it
is not hard (you only need a HTTP server maintaining the session, and a
little thinking on how to use external acls). Only difficulty wrt doing it
in a forward proxy is that you need to modify the proxy to not forward the
session cookie to the requested site and for this some new Squid
modifications will be needed (i.e. the filtering of the cookie is not
possible with what is available for Squid today)

Regards
Henrik
Received on Tue Nov 01 2005 - 08:09:35 MST

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:09 MST